topic Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback in Application Development and Automation Discussions

Reading MYSAPSSO2 Cookie using HttpGetterCallback

Former Member — Mon, 29 Sep 2008 21:04:45 GMT

Hi,

I've custom login module where I'm trying to read the existing SSO ticket and re authenticate and validate it if for returning users. For some reason I was not able to get the Cookie value using HttpGetterCallback. Here is the code I'm calling with my Code.

HttpGetterCallback getterCallback = new HttpGetterCallback();

getterCallback.setType(HttpCallback.COOKIE);

getterCallback.setName("MYSAPSSO2");

String token = (String)getterCallback.getValue();

This always returns null I see in the browser there do exists a cookie. Am I doing something wrong here. Any help is really appreciated.

Thanks,

Joe.P

Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback

tim_alsop — Mon, 29 Sep 2008 21:44:00 GMT

Joe,

Why can't you use EvaluateTicketLoginModule to check SSO2 ticket for returning users ?

Thanks,

Tim

Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback

Former Member — Mon, 29 Sep 2008 21:49:05 GMT

Hi,

Thanks for responding to my post, I have a custom redirect URL with in my custom module where it redirects the users after authenticating, Though I'm using EvaluateTicketModule I can't customize that module to redirect users to custom URL and above that if I customize it that will impact the J2EE_Admin login.

Thanks,

joe.P

Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback

tim_alsop — Mon, 29 Sep 2008 21:52:15 GMT

Joe,

I would suggest you use EvaluateTicketLoginModule and write a new customer login module which redirects and then use flags in the authetication stack to trigger the custom login module to redirect based on return code from the EvaluateTicketLoginModule. This would be better than trying to re-code a login module written by SAP which is already available and widely tested/used.

Thanks,

Tim

Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback

Former Member — Mon, 29 Sep 2008 22:30:21 GMT

Tim,

So you were saying that I can call EvaluateTicketModule with my custom code to get the flag of that module. Is there any API documentation for this Module if so could you please piont me to the link if you know of any.

Thanks,

Joe.P

Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback

tim_alsop — Tue, 30 Sep 2008 07:18:53 GMT

Joe,

No, I wasn't suggesting that your code calls the EvaluateTicketLoginModule. I was suggesting that you configure this login module in the authentication stack so it is called by NetWeaver before your login module is invoked, and then you can use auth stack flags to get NetWeaver to trigger your login module based on whether the EvaluateTicketLoginModule is successful or fails.

You might want to look in SAP help library for details of login module stacks. For example: http://help.sap.com/erp2005_ehp_03/helpdata/EN/20/f66e424925c253e10000000a1550b0/frameset.htm

Thanks,

Tim

Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback

Former Member — Tue, 30 Sep 2008 11:24:53 GMT

Tim,

The flags that I have set in the stack are

EvaluateTicketLoginModule Sufficient

MyCustomModule Requisite

CreateTicketLoginModule Optional

In fact I'm not creating tickets in my custom module I have custom logic to check some URL parameters, all I'm doing in my code is for returning users, if the cookie is out there I simply redirect to my custom page.

Thanks,

Joe.P

Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback

tim_alsop — Tue, 30 Sep 2008 11:37:12 GMT

Joe,

Since you are using "Sufficient" for the EvaluateTicketLoginModule, when the user is returning this login module will return true and no other login modules will be invoked. So, if you expect to have special processing for returning users this is not possible using Sufficient flag.

I am trying to understand the overall requirement / use case, to understand what you are trying to acheive with your login module because it seems strange to want to redirect a user when they return to the application after their initial login. My company has a use case where redirection is required in order to support web-based applications on ABAP systems, and we do that with a servlet that triggers UME authentication and has parameters which are passed to it so it knows where to redirect to - this is best approach for such needs, not to code redirection in a login module.

Thanks,

Tim

Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback

Former Member — Tue, 30 Sep 2008 11:47:08 GMT

Tim,

Sorry I shouldn't have said redirect. Here is my use case. I have web portal which is not running on SAP that's one some 3rd party portal. When some one clicks a link that request will be sent to Java WAS on NetWeaver so here I have a custom module to authenticate the encrypted string that's been sent from the portal and if its valid will let them access ABAP screens (WebGui).

Portal -

> Java -

> ABAP (GUI)

So let's say when a user closes the child window that opens when they click on the link, and trying to access the same link again in this case since the parent browser is not closed the cookie still exists on the browser, in this scenario it should take them to the ABAP screens since the cookie is already out there but I do get blank page. Since my custom code is sending them to ABAP screens after checking in this case it's not behaving the same.

Thanks,

Joe.P

Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback

tim_alsop — Tue, 30 Sep 2008 11:54:49 GMT

Joe,

Thankyou. This explanation is very useful.

Instead of redirecting to the Java engine and then to ABAP where Webgui is running, I suggest you use the following approach.

1. When portal user needs to access Webgui, redirect them to the Webgui URL

2. In t-code SICF in ABAP system, configure the error page for Webgui service so that if SSO2 cookie is not provided it will redirect them to the Java engine (to a servlet where you pass parameter telling location of webgui). Then, when they return they will be setn back to the Webgui service in ABAP stack and the SSO2 ticket will be recognised and accepted by ABAP system. Once completed the servlet will redirect them back to webgui using the parameter passed when it was called from the ICF error page configurated in Webgui service.

The above approach will work. I know because i have used it many times to acheive the same, and will work with any authentication method, not just your own which validates the encrypted message from portal.

Thanks,

Tim

Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback

Former Member — Tue, 30 Sep 2008 12:05:13 GMT

Tim,

This approach won't work in my case since our Landscape is configured in such a way all the requests will always go to Java Instance first and then it will be sent to ABAP. So the Apache/Dispatcher will always sends it to Java from there when the redirect triggers it will be sent to ABAP thru the SAP dispatcher and also our ABAP and JAVA instances are running on separate servers. To go with your approach the whole landscape will have to change.

Thanks,

Joe.P

Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback

tim_alsop — Tue, 30 Sep 2008 12:09:22 GMT

Joe,

ok, but I think you will have extreme difficulty if you try to analyse the SSO2 ticket as you have suggested. It is far better to use standard techniques to handle returning users and not do it the way you are trying at moment.

Also, I know that in future SAP are planning to provide a standards based replacement for the SSO2 ticket, using SAML Tokens, and when this happens your approach will not work, but my approach will work fine and will not require any changes to any code.

I cannot think of any alternative based on what you have mentioned, so I think you should consider redirecting the user to the required application URL instead of redirecting them somewhere which is only valid for the initial login (e.g. when no SSO2 ticket is present).

Thanks,

Tim

Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback

Former Member — Thu, 02 Oct 2008 13:48:46 GMT

Tim,

Thanks for your help. I was able to read the cookies,

instead of calling the constant provide with in the HttpCallback I'm went with this approach which helped me

HttpGetterCallback((byte) 2))

Thanks,

Joe.P

Re: Reading MYSAPSSO2 Cookie using HttpGetterCallback

Former Member — Mon, 15 Dec 2008 07:35:11 GMT

Hi Joe,

I am also trying to read the existing SSO ticket in an customized login module, but also encountered the same problem.

Here is my login module stack configuration:

EvaluateTicketLoginModule SUFFICIENT

BasicPasswordLoginModule REQUISITE

CreateTicketLoginModule OPTIONAL

MyLoginModule OPTIONAL

I've put the following lines in the commit() method of MyLoginModule class:

HttpGetterCallback sapTicketGetterCallback = new HttpGetterCallback();

sapTicketGetterCallback.setType((byte)2);

sapTicketGetterCallback.setName("MYSAPSSO2");

String sapTicketValue = (String)sapTicketGetterCallback.getValue();

The MYSAPSSO2 ticket does exist in browser but sapTicketValue always return null...

Any advice would be very very appreciated. Thanks in advance.